Bad-Code Blues, 2008-07-08
The current state of secure software development by corporations both large and small is a mess.
What you failed to mention, however, is the motivation behind lazy SDLC practices -- many development team managers dislike or even disdain security, in the same way that most people dislike eating green vegetables with their meal. People who take an active interest in securing their technical handiwork are as rare as people who enjoy eating green vegetables.
It is a strong temptation for development managers to ignore security. There is a certain thrill to them for running a risk, and especially for getting away with it. If you've ever kept an overdue movie or library book, only for the lender to forget to fine you, then you'll know what I'm talking about.
Software developers who skimp on security feel like they're saving money and (quite irrationally) thwarting the security process. Additionally, they probably feel that if they ignore security, then security problems might just go away.
Given the cost of security and the management overhead, I doubt that this is something that will change in the next twenty years.
Link to this comment: http://www.securityfocus.com/comments/columns/476/35099#35099